Using EnSight with a firewall

How can I use EnSight across a firewall?

Two TCP/IP connections are involved with typical EnSight use. The client contacts the slimd license server via TCP port 7790 to check out a key, and it listens for connections from the server on TCP port 1106. Note that the port used for slimd may be different at your site. The actual number used can be found in the slim8.key file on the line beginning with 'slimd' (slim7.key for EnSight versions at or before 7.6.6). It is the number after the word 'slimd'.

If a firewall is between the client computer and slimd computer and/or between the client and the server, then you can use a program such as ssh (Secure Shell) to 'tunnel' the connections through the firewall.

For example, assume that the client will run on host 'C', the server on host 'S', and slimd on host 'K'. Assume that hosts S and K are on a corporate network behind a firewall and that host C is outside of the firewall. To access the internal network from outside, the user should log in to host 'S' via ssh.

To make EnSight work in such a configuration, do the following:

1. Make a copy of $CEI_HOME/license8/slim8.key from host K and place it in $CEI_HOME/license8/ on host C. Note: this will be $CEI_HOME/license/slim7.key for versions of EnSight equal to or earlier than 7.6.6.

2. On host C, edit $CEI_HOME/license8/slim8.key and change the hostname on the slimd line to be 'localhost'. This is the third value on the slimd line.

3. On host C set up SSH to forward local port 7790 to host K port 7790 and to forward remote port 1106 to localhost port 1106.

4. Log into host S using SSH with the previous modifications:

    ssh -L 7790:K:7790 -R 1106:localhost:1106 hostS

5. Start the EnSight client on host C and have it listen for a manual connection. The client will connect to slimd on 'localhost' which has been tunneled via SSH to host K.

6. Start the EnSight server on host S and have it connect to host localhost. The server will connect to the client via the SSH tunnel from host S to host C.
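Steps 1 through 4 can be scripted so that a site-specific slimd port is picked up from the key file instead of assuming 7790. The following is an added example, not part of the EnSight documentation; it assumes the slimd line layout described above ("slimd <port> <hostname> ..."), and the function names and the sample key contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed slimd line layout, taken from the
# text above: "slimd <port> <hostname> ...".

# The second field of the line beginning with 'slimd' is the license port.
slimd_port() { awk '$1 == "slimd" { print $2; exit }' "$1"; }

# The third field is the host running slimd (host K in the text).
slimd_host() { awk '$1 == "slimd" { print $3; exit }' "$1"; }

# Step 2: emit the key file with only the slimd hostname changed to localhost.
# All other lines and the original spacing are left untouched.
localize_key() {
    sed -E 's/^(slimd[[:space:]]+[^[:space:]]+[[:space:]]+)[^[:space:]]+/\1localhost/' "$1"
}

# Steps 3-4: print the ssh command to run on host C.
# $1 = unmodified key file copied from host K, $2 = host S.
# The -L listener is bound to loopback explicitly, and ExitOnForwardFailure
# makes ssh exit instead of continuing when a forward cannot be set up.
tunnel_cmd() {
    port=$(slimd_port "$1")
    host=$(slimd_host "$1")
    case $port in
        ''|*[!0-9]*) echo "no numeric slimd port in $1" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "no slimd host in $1" >&2; return 1; }
    printf 'ssh -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -R 1106:localhost:1106 %s\n' \
        "$port" "$host" "$port" "$2"
}

# Constructed sample key file (not a real license), using a non-default port.
sample_key() {
    printf '%s\n' '# constructed sample' 'slimd 7791 K CONSTRUCTED-DATA' 'other line'
}

# Usage: script <key file from host K> <host S>
if [ "$#" -eq 2 ]; then
    localize_key "$1" > "$1.localhost"   # copy to install on host C
    tunnel_cmd "$1" "$2"
fi
```

The generated command is printed rather than executed so it can be checked before use.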

If you cannot connect directly from host C to host S but must instead go through an intermediate host G, you can still use SSH to connect the server and client. Once you log in to host G using the method previously described, log into host S from G using a second SSH with local port forwarding of 1106 to localhost 1106. This second SSH is necessary because ssh only listens for connections on the computer you logged into and not for connections from other computers. Once on host S, run the EnSight server and specify 'localhost' as the system to connect to.

Setting up SSH across a firewall with appropriate tunnels can be a bit tricky. Should you encounter problems, be sure to consult with your site's network administrator or check out this book (http://www.oreilly.com/catalog/sshtdg/index.html).